5.7 Scripting Policy

The following instructions assume that you are on the Configure Security Settings page in the Create New Security Settings Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Security Settings policy (see Editing a Policy’s Details).

The Scripting policy lets you run a script (JScript or VBScript) on a device. You can specify the triggers that cause the script to run. Triggers can be based on Endpoint Security Agent actions, location changes, or time intervals.

5.7.1 Define Script Settings

The Script Settings panel lets you define the language, content, and execution space for the script.

Run As

Select whether you want the script to run in the system context or the user context:

  • System: The script runs with the same rights as a Windows service.

  • User: The script runs with the rights provided by the current user session.

Language

Select JScript or VBScript as the scripting language.

Script Content

Click Edit to add the script content.

ZENworks supports standard JScript and VBScript coding methods, with the following exceptions.

  1. WScript.Echo is not supported because return values can’t be sent back to a parent window that is unavailable. Use the Action.Message ZENworks Endpoint Security Management API instead.

  2. Access to Shell Objects. Use the following modified nomenclature/call:

    [JScript] 
       Use: 
       var WshShell = new ActiveXObject("WScript.Shell");
       Instead of: 
       var WshShell = WScript.CreateObject ("WScript.Shell");
    
    [VBScript] 
       Use:
       Dim WshShell
       Set WshShell = CreateObject("WScript.Shell")
       Instead of:
       Dim WshShell
       Set WshShell = WScript.CreateObject("WScript.Shell")

ZENworks also provides a scripting interface that lets you create advanced scripts. Using the scripting interface, you can determine current state of the Endpoint Security Agent, run actions that change the behavior of the agent or interact with the user, and store variables for use by the script during the current session or across sessions.

For more details about the scripting interface, see the ZENworks Endpoint Security Scripting Reference.

5.7.2 Define Trigger Settings

The Trigger Settings panel lets you determine when the script runs. There are three types of triggers that initiate execution of the script:

  • Agent Triggers: Executes the script based on one or more Endpoint Security Agent actions, such as the enforcement of the Scripting policy or the change from one network environment to another.

  • Location Trigger: Executes the script when changing from one location to another.

  • Time Trigger: Executes the script according to a specified time interval.

You can use one or more of the trigger types to ensure that the script runs at the appropriate times.

Agent Triggers

The Agent Triggers settings executes the script based on one or more Endpoint Security Agent actions, such as the enforcement of the Scripting policy or the change from one network environment to another. Select one or more of the following actions:

  • Enforcement of this policy: Executes the script any time this policy is enforced. Enforcement occurs on device startup (zone-assigned and device-assigned policies), user-login (user-assigned policies), and policy updates.

  • Any security policy change: Executes the script any time the agent receives a change to any of the security policies (Firewall, Communication Hardware, and so forth).

  • Network change: Executes the script any time the agent detects a network change that could affect the location assignment. This involves changes to the device’s actual network environment (IP addresses, access points, and so forth) and the network environment definitions used to determine location.

  • Network connect: Executes the script any time a network connection occurs. This could be a wired network that is detected after plugging in a network cable, a wireless network detected through an access point, a network detected through a modem, or more.

  • Network disconnect: Executes the script any time a network disconnection occurs.

Location Trigger

The Location Trigger setting executes the script based on a location change. The trigger consists of two conditions that are evaluated to determine if the script should run:

  • The location from which the device is switching. This is referred to as the “from” location.

  • The location to which the device is switching. This is referred to as the “to” location.

The script is run only if the “from” and “to” locations are different.

Enable Location Trigger

Select this option to enable the location trigger.

Run When Switching From

This setting lets you define the first of the two conditions, the “from” locations:

  • Any location: Select this option if you want all locations to qualify as valid “from” locations.

  • Selected locations: Select this option if you want to designate one or more specific locations as valid “from” locations.

    The “from” location and “to” location lists can include the same location. For example, assume that you want the script to be triggered when the location changes from A to B or from B to A. You can add both A and B to the “from” location list and the “to” location list.

And When Switching To

This setting lets you define the second of the two conditions, the “to” locations:

  • Any location: Select this option if you want all locations to qualify as valid “to” locations.

  • Selected locations: Select this option if you want to designate one or more specific locations as valid “to” locations.

    The “from” location and “to” location lists can include the same location. For example, assume that you want the script to be triggered when the location changes from A to B or from B to A. You can add both A and B to the “from” location list and the “to” location list.

Must Be a Manual Change

A location change can be automatic or manual. An automatic location change occurs when the Endpoint Security Agent detects a change in the network environment that results in a new location assignment. A manual change occurs when a device’s user manually selects a new location from the agent’s Locations list.

Select this option if you only want the script to run when the user manually changes the location. Any automatic changes will not trigger execution of the script.

Time Trigger

The Time Trigger setting executes the script at a designated interval. The interval begins upon initial enforcement of the policy. If the policy is changed and republished, the interval is restarted.

The interval includes a one-minute boundary, meaning that the script is run within a minute (plus or minus) of the end of the interval.

Select the option to enable it, then enter the interval between each running of the script.